System and Method for Optimizing Secured Internet Small Computer System Interface Storage Area Networks

ABSTRACT

A network device includes a port coupled to a device, another port coupled to another device, and an access control list with an access control entry that causes the network device to permit log in frames to be forwarded from the first device to the second device. The network device receives a frame addressed to the second device and determines the frame type. If the frame type is a log in frame, then the frame is forwarded to the second device and another access control entry is added to the access control list. The second access control entry causes the network device to permit data frames to be forwarded from the first device to the second device. If not, then the frame is dropped based upon the first access control entry.

FIELD OF THE DISCLOSURE

The present disclosure generally relates to information handlingsystems, and more particularly relates to optimizing Internet SmallComputer System Interface storage area networks in an informationhandling system.

BACKGROUND

As the value and use of information continues to increase, individualsand businesses seek additional ways to process and store information.One option is an information handling system. An information handlingsystem generally processes, compiles, stores, or communicatesinformation or data for business, personal, or other purposes.Technology and information handling needs and requirements can varybetween different applications. Thus information handling systems canalso vary regarding what information is handled, how the information ishandled, how much information is processed, stored, or communicated, andhow quickly and efficiently the information can be processed, stored, orcommunicated. The variations in information handling systems allowinformation handling systems to be general or configured for a specificuser or specific use such as financial transaction processing, airlinereservations, enterprise data storage, or global communications. Inaddition, information handling systems can include a variety of hardwareand software resources that can be configured to process, store, andcommunicate information and can include one or more computer systems,graphics interface systems, data storage systems, and networkingsystems. Information handlings systems can also implement variousvirtualized architectures.

BRIEF DESCRIPTION OF THE DRAWINGS

It will be appreciated that for simplicity and clarity of illustration,elements illustrated in the Figures are not necessarily drawn to scale.For example, the dimensions of some elements may be exaggerated relativeto other elements. Embodiments incorporating teachings of the presentdisclosure are shown and described with respect to the drawings herein,in which:

FIG. 1 is a block diagram of a storage area network according to anembodiment of the present disclosure;

FIG. 2 illustrates a server of the storage area network of FIG. 1logging into a storage array of the storage area network;

FIG. 3 illustrates changes to the access control lists of securedswitches within the storage area network that result from the serverlogging in as illustrated in FIG. 2;

FIG. 4 illustrates disallowed transaction requests on the storage areanetwork of FIG. 1 after the server has logged into the storage areanetwork;

FIG. 5 illustrates another server of the storage area network of FIG. 1logging into the storage array;

FIG. 6 illustrates changes to the access control lists of the securedswitches that result from the server logging in as illustrated in FIG.5;

FIG. 7 illustrates a server of the storage area network of FIG. 1logging out of the storage area array;

FIG. 8 illustrates changes to the access control lists of the securedswitches that result from the server logging out as illustrated in FIG.7;

FIG. 9 is a flowchart illustrating a method of implementing a securedswitch of the storage area network of FIG. 1 according to an embodimentof the present disclosure;

FIG. 10 is a block diagram of another storage area network according toan embodiment of the present disclosure;

FIG. 11 illustrates servers of the storage area network of FIG. 10registering with an Internet Storage Name Service (iSNS) server of thestorage area network and receiving domain discovery information from theiSNS server;

FIG. 12 illustrates changes to the access control lists of securedswitches within the storage area network that result from theregistration and receipt of the domain discovery information asillustrated in FIG. 11;

FIG. 13 illustrates a server of the storage area network of FIG. 10logging into a storage array of the storage area network;

FIG. 14 illustrates changes to the access control lists of the securedswitches that result from the server logging in as illustrated in FIG.13;

FIG. 15 illustrates another server of the storage area network of FIG.10 logging into the storage array;

FIG. 16 illustrates changes to the access control lists of the securedswitches that result from the server logging in as illustrated in FIG.15;

FIG. 17 is a flowchart illustrating a method of implementing a securedswitch of the storage area network of FIG. 10 according to an embodimentof the present disclosure; and

FIG. 18 is a block diagram illustrating an information handling systemaccording to another embodiment of the present disclosure.

The use of the same reference symbols in different drawings indicatessimilar or identical items.

DETAILED DESCRIPTION OF THE DRAWINGS

The following description in combination with the Figures is provided toassist in understanding the teachings disclosed herein. The descriptionis focused on specific implementations and embodiments of the teachings,and is provided to assist in describing the teachings. This focus shouldnot be interpreted as a limitation on the scope or applicability of theteachings. Other teachings can be used in this application, and theteachings can be used in other applications and with different types ofarchitectures, such as a client-server architecture, a distributedcomputing architecture, or a middleware server architecture andassociated resources.

FIG. 1 illustrates an embodiment of a storage area network (SAN) 100that can include one or more information handling systems. For purposesof this disclosure, the information handling system may include anyinstrumentality or aggregate of instrumentalities operable to compute,classify, process, transmit, receive, retrieve, originate, switch,store, display, manifest, detect, record, reproduce, handle, or utilizeany form of information, intelligence, or data for business, scientific,control, entertainment, or other purposes. For example, an informationhandling system may be a personal computer, a PDA, a consumer electronicdevice, a network server or storage device, a switch router or othernetwork communication device, or any other suitable device and may varyin size, shape, performance, functionality, and price. The informationhandling system may include memory, one or more processing resourcessuch as a central processing unit (CPU) or hardware or software controllogic. Additional components of the information handling system mayinclude one or more storage devices, one or more communications portsfor communicating with external devices as well as various input andoutput (I/O) devices, such as a keyboard, a mouse, and a video display.The information handling system may also include one or more busesoperable to transmit communications between the various hardwarecomponents.

SAN 100 includes a network 110, a storage array 120, and client systems130. Network 110 includes Ethernet switches 111 through 115 and forms acommunication network between storage array 120 and client systems 130.Storage array 120 includes storage devices 122, 124, and 126, andprovides network storage for client systems 130. Client systems 130include servers 132 and 134. In a particular embodiment, SAN 100 isimplemented as an Internet Small Computer System Interface (iSCSI) SAN,that provides an Internet Protocol (IP)-based storage network. As such,SAN 100 can use SCSI commands over network 100 to manage storage andfacilitate data transfers between storage array 120 and client systems130. Network 110 can be implemented as a local area network (LAN), awide area network (WAN), an intranet, the Internet, another type of datanetwork, or a combination thereof. Storage devices 122, 124, and 126 canoperate as targets to receive SCSI commands, and can be implemented asone or more SCSI storage devices, as different volumes on a single SCSIstorage device, as different volumes on a Redundant Array of IndependentDrives (RAID) array of SCSI storage devices such as a RAID 5 array, aRAID 6 array, or another RAID configuration, as separate storage arrays,or as another configuration of SCSI storage devices, or a combinationthereof. Servers 132 and 134 can operate as initiators to send SCSIcommands to storage devices 122, 124, and 126, and can be implemented asseparate information handling systems or as virtual machineinstantiations on a single information handling system, as needed ordesired.

Switches 111-113 provide connectivity to the iSCSI end points (such asstorage devices 122, 124, and 126, and servers 132 and 134), and may bereferred to as edge switches. Switches 114 and 115 provide the coreconnectivity to route data in SAN 100, and may be referred to as coreswitches. SAN 100 provides the storage resources of storage array 120 toclient systems 130 based upon the storage needs of each server 132 and134. For example, server 132 can be a Windows based server with a needfor a Windows based storage capacity, and storage device 122 can beconfigured with a Windows based file system to provide that capacity.Also, server 134 can be a Linux based server with a need for a Linuxbased storage capacity, and storage device 124 can be configured with aLinux based file system to provide that capacity. Further, both servers132 and 134 can have a need for a backup storage capacity, and storagedevice 126 can be configured with a common file system to provide abackup capacity for both servers. As such, server 132 can log intostorage devices 122 and 126 through switches 112, 114, and 111, andserver 134 can log into storage devices 124 and 126 through switches113, 115, 114, and 111.

In a particular embodiment, edge switches 111-113 are secured switchesand operate to snoop the data frames that are handled by the edgeswitches to determine the source address, the destination address, theframe type, and other information related to the data frames. Further,edge switches 111-113 operate to control the flow of the data framesthat are handled by the edge switches. As such, edge switches 111-113each implement an access control list (ACL) that defines a list ofpermissions that are associated with particular data frames. Thus, edgeswitches 111-113 provide security on SAN 100 by permitting approvedframe traffic and dropping other frame traffic from the SAN. Further,edge switches 111-113 automatically respond to the changing conditionsof SAN 100 by modifying their respective ACLs to permit or drop otherframe traffic as needed or desired, and without the intervention of asystem administrator or system manager to track and maintain the ACLs ofeach individual edge switch. In operation, edge switches 111 and 112 maystart with the following default ACL:

Type=iSCSI_Log-In_Frame, permit

Type=iSCSI_Other_Frame, deny

as illustrated in FIG. 3, ACL blocks 161 and 171, for respectiveswitches 111 and 112. Here, any frame that is an iSCSI log-in frame ispermitted to pass through the edge switches 111 and 112, and any otheriSCSI frame of any other type is denied passage through the edgeswitches, and is dropped.

FIGS. 2 and 3 illustrate server 132 logging into storage devices 122 and126, and the changes to the ACLs of switches 111 and 112 as a result ofthe server logging into the storage devices, respectively. When server132 logs into storage device 122, an iSCSI log-in frame 142 is sent fromthe server, through switch 112, switch 114, and switch 111 to thestorage device. When switches 111 and 112 detect the successful log-inof server 132 to storage device 122, the switches automatically modifythe ACLs by adding the following access control entries (ACEs):

SA=132, DA=122, Type=iSCSI_Data_Frame, permit

SA=122, DA=132, Type=iSCSI_Data_Frame, permit

as illustrated in ACL blocks 162 and 172. Here, the source address (SA)and the destination address (DA) indicate a unique device identifier onthe network, and can include an IP address, a Media Access Control (MAC)address, an iSCSI Qualified Name (IQN), another unique deviceidentifier, or a combination thereof. After successful log-in, any iSCSIdata frame from server 132 that is destined for storage device 122 ispermitted, and vice versa. When server 132 logs into storage device 126,an iSCSI log-in frame 144 is sent to the storage device. When switches111 and 112 detect the successful log-in of server 132 to storage device126, the switches automatically modify their ACLs by adding thefollowing ACEs:

SA=132, DA=126, Type=iSCSI_Data_Frame, permit

SA=126, DA=132, Type=iSCSI_Data_Frame, permit

as illustrated in ACL blocks 163 and 173. Here, after successful log-in,any iSCSI data frame from server 132 that is destined for storage device126 is permitted, and vice versa.

FIG. 4 illustrates disallowed transaction requests on SAN 100 afterserver 132 has logged in to the SAN. When server 132 sends a data frame146 to storage device 124, switch 112 receives the frame, snoops theframe to determine the source address, the destination address, and theframe type, compares the information to its ACL, and determines whetherto pass the frame or to drop it. Here, because data frame 146 isaddressed to other than storage device 122 or storage device 126, theframe is dropped at switch 112. When server 134 sends a data frame 148to storage device 126, switch 113 receives the frame and forwards itthrough switches 115 and 114 to switch 111. Switch 111 snoops the frameto determine the source address, the destination address, and the frametype, compares the information to its ACL, and determines whether topass or to drop the frame. Here, because data frame 148 is neither alog-in frame, nor is it from server 132, the frame is dropped at switch111. Thus, the administration of the ACLs can be accomplished at eitherthe ingress point of network 110, or at the egress point of the network.

FIGS. 5 and 6 illustrate server 134 logging into storage devices 124 and126, and the changes to the ACLs of switches 111 and 113 as a result ofthe server logging into the storage devices, respectively. Here, switch111 retains the ACL illustrated in block 163 and switch 113 is providedwith the default ACL as illustrated in ACL block 181. When server 134logs into storage device 124, an iSCSI log-in frame 150 is sent from theserver, through switch 113, switch 115, switch 114, and switch 111 tothe storage device. When switches 111 and 112 detect the successfullog-in of server 134 to storage device 124, the switches automaticallymodify their ACLs by adding the following ACEs:

SA=134, DA=124, Type=iSCSI_Data_Frame, permit

SA=124, DA=134, Type=iSCSI_Data_Frame, permit

as illustrated in ACL blocks 164 and 182. After successful log-in, anyiSCSI data frame from server 134 that is destined for storage device 124is permitted, and vice versa. When server 134 logs into storage device126, an iSCSI log-in frame 152 is sent from the server to the storagedevice. When switches 111 and 113 detect the successful log-in of server134 to storage device 126, the switches automatically modify their ACLsby adding the following ACE:

SA=134, DA=126, Type=iSCSI_Data_Frame, permit

SA=126, DA=134, Type=iSCSI_Data_Frame, permit as illustrated in ACLblocks 165 and 183. Here, after successful log-in, any iSCSI data framefrom server 134 that is destined for storage device 126 is permitted,and vice versa.

FIGS. 7 and 8 illustrate server 132 of SAN 100 logging out of storagearray 120, and changes to the ACLs of switches 111 and 112 that resultfrom the server logging out of the storage array, respectively. Whenserver 132 logs out of storage devices 122 and 126, switches 111 and 113detect the event and automatically modify their ACLs by deleting thefollowing ACEs:

SA=132, DA=122, Type=iSCSI_Data_Frame, permit

SA=122, DA=132, Type=iSCSI_Data_Frame, permit

SA=132, DA=126, Type=iSCSI_Data_Frame, permit

SA=126, DA=132, Type=iSCSI_Data_Frame, permit

as illustrated in ACL blocks 166 and 174. Here, after server 132 islogged out, switches 111 and 112 will only permit frames from the serverthat are log-in frames, and data frames from the server will be denied.Logging server 132 out of storage devices 122 and 126 can beaccomplished by the server sending log out frames to the storagedevices, or by the server being disconnected from switch 112. As such,switches 111 and 112 can snoop the log out frames or detect that server132 has become disconnected from switch 112 and delete the ACEsaccordingly.

FIG. 9 is a flowchart illustrating a method of implementing a securedswitch on a SAN according to an embodiment of the present disclosure. Asecured switch is provided with a default ACL in block 302. The defaultACL provides that iSCSI log-in frames are permitted, and that all otheriSCSI frames are denied and are dropped in the switch. For example,switch 111 can be provided with ACL block 161. On detection of an iSCSIlog-in frame and a successful log-in, the secured switch automaticallyadds an ACE to the ACL in block 304. The added ACE provides that iSCSIdata frames are permitted between the initiator of the log-in and thetarget of the log-in. For example, switch 111 can add the ACE forpermitting server 132 to send data frames to storage device 122, asillustrated in ACL block 162. On detection of an iSCSI log-out frame anda successful log-out, or on detection that an end point has becomedisconnected from a network, the secured switch automatically deletesone or more ACE from the ACL in block 306. For example, switch 111 candelete the ACEs for permitting server 132 to send data frames to storagedevices 122 and 126, as illustrated in ACL block 166.

FIG. 10 illustrates another embodiment of a SAN 200 that includes anetwork 210, a storage array 220, client systems 230, and an InternetStorage Name Service (iSNS) server 240. Network 210 includes Ethernetswitches 211 through 215 and forms a communication network betweenstorage array 220, client systems 230, and iSNS server 240. Storagearray 220 includes storage devices 222, 224, and 226, and providesnetwork storage for client systems 230. Client systems 230 includeservers 232 and 234. In a particular embodiment, SAN 200 is implementedas an iSCSI SAN. Network 200 can be implemented as a LAN, a WAN, anintranet, the Internet, another type of data network, or a combinationthereof. Storage devices 222, 224, and 226 can operate as targets toreceive SCSI commands, and can be implemented as one or more SCSIstorage devices, as different volumes on a single SCSI storage device,as different volumes on a RAID array of SCSI storage devices such as aRAID 5 array, a RAID 6 array, or another RAID configuration, as separatestorage arrays, or as another configuration of SCSI storage devices, ora combination thereof. Servers 232 and 234 can operate as initiators tosend SCSI commands to storage devices 222, 224, and 226, and can beimplemented as separate information handling systems or as virtualmachine instantiations on a single information handling system, asneeded or desired. iSNS server 240 operates to provide for theregistration and discovery of iSCSI endpoints (such as initiators,servers 232 and 234, and targets, storage devices 222, 224, and 226),and the management and configuration of SAN 200. In particular, theiSCSI endpoints register with iSNS server 240, and are assigned to oneor more discovery domains by the iSNS server. iSNS server 240communicates with the iSCSI endpoints through exchanged of frames thatinclude iSNS protocol information.

Switches 211-213 may be edge switches and switches 214 and 215 may becore switches. SAN 200 provides the storage resources of storage array220 to client systems 230 based upon the storage needs of each server232 and 234. As in the above example, server 232 can be a Windows basedserver, server 234 can be a Linux based server, storage device 222 canbe configured with a Windows based file system, storage device 124 canbe configured with a Linux based file system, and storage device 226 canbe configured with a common file system to provide a backup capacity forboth servers. Here, the iSCSI endpoints register with iSNS server 240and the iSNS server provides each endpoint with the associated discoverydomains that they can be logged into. After receiving the discoverydomain information, server 232 can log into storage devices 222 and 226,and server 234 can log into storage devices 224 and 226.

In a particular embodiment, edge switches 211-213 are secured iSNSswitches and operate to snoop the data frames that are handled by theedge switches to determine the source address, the destination address,the frame type, and other information related to the data frames.Further, edge switches 211-213 operate to control the flow of the dataframes that are handled by the edge switches. As such, edge switches211-213 each implement an ACL. Thus, edge switches 111-113 providesecurity on SAN 200 by permitting approved frame traffic and droppingother frame traffic from the SAN. Further, edge switches 211-213automatically respond to the changing conditions of SAN 100 by modifyingtheir respective ACLs to permit or drop other frame traffic as needed ordesired, and without the intervention of a system administrator, systemmanager, or iSNS server 240 to track and maintain the ACLs of eachindividual edge switch. In operation, edge switches 211 and 212 maystart with the following default ACL:

Type=iSNS_Register_Deregister, permit

Type=iSNS_Other_Frame, deny

Type=iSCSI_Other_Frame, deny

as illustrated in FIG. 12, ACL blocks 281 and 291, for respectiveswitches 212 and 213. Here, any frame that is an iSNS register orderegister frame is permitted to pass through the edge switches 212 and213, and any iSNS frame or iSCSI frame of any other type is deniedpassage through the edge switches, and is dropped. In anotherembodiment, edge switches 212 and 213 may start with default ACLs thatonly permit iSNS register or deregister frames that are sent to iSNSserver 240. In this way, a false iSNS server is prevented from spoofingthe identity of iSNS server 240.

FIG. 11 illustrates servers 232 and 234 registering with iSNS server240, and the iSNS server providing the discovery domains for each serverback to the respective servers, and FIG. 12 illustrates the changes tothe ACLs of switches 212 and 213 as a result of the registrations andthe provision of the discovery domains. When servers 232 and 234register with iSNS server 240, iSNS registration frames 252 and 254,respectively, are sent from the servers to the iSNS server. Whenswitches 212 and 213 detect the successful registration of servers 232and 234 onto iSNS server 240, the switches automatically modify theirACLs by adding the following ACEs:

DA=232, Type=iSNS_Frame, permit (for switch 212)

DA=234, Type=iSNS_Frame, permit (for switch 213)

as illustrated in ACL blocks 282 and 292, respectively. After successfulregistration, any iSNS frames from iSNS server 240 to servers 232 and234 are permitted. After the successful registration, iSNS server 240sends a discovery domain frame 256 to server 232, and a discovery domainframe 258 to server 234. When switches 212 and 213 detect the discoverydomain frames, the switches automatically modify their ACLs to permitlog-in activity by servers 232 and 234 according to the discovery domaininformation included in discovery domain frames 256 and 258. As such,switch 212 adds the following ACEs:

SA=232, DA=222, Type=iSCSI_Log_In_Frame, permit

SA=232, DA=226, Type+iSCSI_Log_In_Frame, permit

as illustrated in ACL blocks 283, and switch 213 adds the followingACEs:

SA=234, DA=224, Type=iSCSI_Log_In_Frame, permit

SA=234, DA=226, Type+iSCSI_Log_In_Frame, permit

as illustrated in ACL blocks 283.

As iSNS endpoints, storage devices 222, 224, and 226 also register withiSNS server 240, and receive discovery domain frames from the iSNSserver. Here, when switch 211 detects the registrations and thediscovery domain frames for storage devices 222,224, and 226, the switchautomatically modifies its ACL to include the following ACEs:

DA=222, Type=iSNS_Frame, permit

DA=224, Type=iSNS_Frame, permit

DA=226, Type=iSNS_Frame, permit

SA=232, DA=222, Type=iSCSI_Log_In_Frame, permit

SA=232, DA=226, Type=iSCSI_Log_In_Frame, permit

SA=234, DA=224, Type=iSCSI_Log_In_Frame, permit

SA=234, DA=226, Type=iSCSI_Log_In_Frame, permit

as illustrated in ACL blocks 271 of FIG. 14.

FIGS. 13 and 14 illustrate server 232 logging into storage devices 222and 226, and the changes to the ACLs of switches 211 and 212 as a resultof the server logging into the storage devices, respectively. Whenserver 232 logs into storage devices 222 and 226, iSCSI log-in frames260 and 262, respectively, are sent from the server to the storagedevices. When switches 211 and 212 detect the successful log-in ofserver 232 to storage devices 222 and 226, the switches automaticallymodify their ACLs by changing the following access control entries(ACEs):

SA=232, DA=222, Type=iSCSI_Log_In_Frame, permit

to

SA=232, DA=222, Type=iSCSI_Frame, permit

SA=222, DA=232, Type=iSCSI_Frame, permit

and

SA=232, DA=226, Type=iSCSI_Log_In_Frame, permit

to

SA=232, DA=226, Type=iSCSI_Frame, permit

SA=226, DA=232, Type=iSCSI_Frame, permit

as illustrated in ACL blocks 272 and 284. After successful log-in, anyiSCSI data frames from server 232 that are destined for storage devices222 and 226 are permitted, and vice versa.

FIGS. 15 and 16 illustrate server 234 logging into storage devices 224and 226, and the changes to the ACLs of switches 211 and 213 as a resultof the server logging into the storage devices, respectively. Whenserver 234 logs into storage devices 224 and 226, iSCSI log-in frames264 and 266, respectively, are sent from the server to the storagedevices. When switches 211 and 213 detect the successful log-in ofserver 234 to storage devices 224 and 226, the switches automaticallymodify their ACLs by adding the following access control entries (ACEs):

SA=234, DA=224, Type=iSCSI_Log_In_Frame, permit

to

SA=234, DA=224, Type=iSCSI_Frame, permit

SA=224, DA=234, Type=iSCSI_Frame, permit

and

SA=234, DA=226, Type=iSCSI_Log_In_Frame, permit

to

SA=234, DA=226, Type=iSCSI_Frame, permit

SA=226, DA=234, Type=iSCSI_Frame, permit

as illustrated in ACL blocks 273 and 294. After successful log-in, anyiSCSI data frames from server 234 that are destined for storage devices224 and 226 are permitted, and vice versa.

FIG. 17 is a flowchart illustrating a method of implementing a securediSNS switch on a SAN according to an embodiment of the presentdisclosure. A secured iSNS switch is provided with a default ACL inblock 312. The default ACL provides that iSNS registration frames arepermitted, and all other iSNS or iSCSI frame are denied in the switch.For example, switch 213 can be provided with ACL block 291. On detectionof successful registration to the iSNS server, the secured iSNS switchautomatically adds an ACE to the ACL in block 314. The added ACEprovides that iSNS discovery domain frames are permitted between theinitiator of the registration and the iSNS server. For example, switch213 can add the ACE for permitting server 234 to receive iSNS discoveryframes, as illustrated in ACL block 292. On detection of the receipt ofa discovery domain frame from the iSNS server, the secured iSNS switchautomatically adds an ACE to the ACL in block 316. The added ACEprovides that iSCSI log-in frames are permitted between endpoints in acommon domain, and all other iSCSI frames are denied in the switch. Forexample, switch 213 can add the ACEs to permit server 234 to log intostorage devices 224 and 226, as illustrated in ACL block 293. Ondetection of an iSCSI log-in frame and a successful log-in, the securediSNS switch automatically adds an ACE to the ACL in block 318. The addedACE provides that iSCSI data frames are permitted between the initiatorof the log-in and the target of the log-in. For example, switch 313 canadd the ACEs for permitting server 234 to send data frames to storagedevices 224 and 226, as illustrated in ACL block 294. On detection of aniSCSI log-out frame and a successful log-out, or on detection that anend point has become disconnected from a network, the secured iSNSswitch automatically deletes one or more ACE from the ACL in block 320.

As used herein, the term “switch” includes other types of networkingequipment, including, but not limited to a router, a hub, a bridge, agateway, a repeater, another type of networking equipment, or acombination thereof. Also, in the above illustrations, ACEs were shownthat included clients 132, 134, 232, and 234 as the source device, andstorage devices 122, 224, 126, 222, 224, and 226 as the destinationdevice. It will be recognized that ACEs can be added that include thestorage devices as the source device and the clients as the destinationdevice, so that frames can be communicated in both directions. Further,it will be recognized that other types of network devices can besubstituted for the servers and the storage devices as initiators andtargets in the above embodiments. Further, as used herein, the term“frame” includes other types of data unit on a network including apacket, a datagram, another type of data unit, or a combination thereof,and the functions, features, and methods described above are generallyoperable with the other types of data units, and at various networklevels.

In a particular embodiment, a secure iSNS switch, such as switches 211,212, and 213, operates to determine if an end point is an iSNS endpoint. If so, then the ACL for the secure iSNS switch can initiallyinclude ACEs that permit the end point to only send registration framesto an iSNS server. If the endpoint is not operable as an iSNS endpoint,then the ACL can initially include ACEs that permit the end point toonly send log in frames to other end points. In another embodiment, asecure iSNS switch operates to determine if an end point is aninitiator. If so, then the ACL for the secure iSNS switch can initiallyinclude ACEs that only permit iSNS registrations frames or iSCSI log inframes from the end points. Similarly, if the secure iSNS switchdetermines that an endpoint is a target, the ACL can initially includeACEs that only permit iSCSI log in frames to the end point.

FIG. 18 is a block diagram illustrating an embodiment of an informationhandling system 400, including a processor 410, a chipset 420, a memory430, a graphics interface 440, an input/output (I/O) interface 450, adisk controller 460, a network interface 470, and a disk emulator 480.In a particular embodiment, information handling system 400 is used tocarry out one or more of the methods described herein. In anotherembodiment, one or more of the systems described herein are implementedin the form of information handling system 400.

Chipset 420 is connected to and supports processor 410, allowing theprocessor to execute machine-executable code. In a particular embodiment(not illustrated), information handling system 400 includes one or moreadditional processors, and chipset 420 supports the multiple processors,allowing for simultaneous processing by each of the processors andpermitting the exchange of information among the processors and theother elements of the information handling system. Chipset 420 can beconnected to processor 410 via a unique channel, or via a bus thatshares information among the processor, the chipset, and other elementsof information handling system 400.

Memory 430 is connected to chipset 420. Memory 430 and chipset 420 canbe connected via a unique channel, or via a bus that shares informationamong the chipset, the memory, and other elements of informationhandling system 400. In another embodiment (not illustrated), processor410 is connected to memory 430 via a unique channel. In anotherembodiment (not illustrated), information handling system 400 includesseparate memory dedicated to each of the one or more additionalprocessors. A non-limiting example of memory 430 includes static randomaccess memory (SRAM), dynamic random access memory (DRAM), non-volatilerandom access memory (NVRAM), read only memory (ROM), flash memory,another type of memory, or any combination thereof.

Graphics interface 440 is connected to chipset 420. Graphics interface440 and chipset 420 can be connected via a unique channel, or via a busthat shares information among the chipset, the graphics interface, andother elements of information handling system 400. Graphics interface440 is connected to a video display 442. Other graphics interfaces (notillustrated) can also be used in addition to graphics interface 440 asneeded or desired. Video display 442 includes one or more types of videodisplays, such as a flat panel display, another type of display device,or any combination thereof.

I/O interface 450 is connected to chipset 420. I/O interface 450 andchipset 420 can be connected via a unique channel, or via a bus thatshares information among the chipset, the I/O interface, and otherelements of information handling system 400. Other I/O interfaces (notillustrated) can also be used in addition to I/O interface 450 as neededor desired. I/O interface 450 is connected via an I/O interface 452 toone or more add-on resources 454. Add-on resource 454 is connected to astorage system 490, and can also include another data storage system, agraphics interface, a network interface card (NIC), a sound/videoprocessing card, another suitable add-on resource or any combinationthereof. I/O interface 450 is also connected via I/O interface 452 toone or more platform fuses 456 and to a security resource 458. Platformfuses 456 function to set or modify the functionality of informationhandling system 400 in hardware. Security resource 458 provides a securecryptographic functionality and includes secure storage of cryptographickeys. A non-limiting example of security resource 458 includes a UnifiedSecurity Hub (USH), a Trusted Platform Module (TPM), a General PurposeEncryption (GPE) engine, another security resource, or a combinationthereof.

Disk controller 460 is connected to chipset 420. Disk controller 460 andchipset 420 can be connected via a unique channel, or via a bus thatshares information among the chipset, the disk controller, and otherelements of information handling system 400. Other disk controllers (notillustrated) can also be used in addition to disk controller 460 asneeded or desired. Disk controller 460 includes a disk interface 462.Disk controller 460 is connected to one or more disk drives via diskinterface 462. Such disk drives include a hard disk drive (HDD) 464, andan optical disk drive (ODD) 466, and can include one or more disk driveas needed or desired. ODD 466 can include a Read/Write Compact Disk(R/W-CD), a Read/Write Digital Video Disk (R/W-DVD), a Read/Write miniDigital Video Disk (R/W mini-DVD, another type of optical disk drive, orany combination thereof. Additionally, disk controller 460 is connectedto disk emulator 480. Disk emulator 480 permits a solid-state drive 484to be coupled to information handling system 400 via an externalinterface 482. External interface 482 can include industry standardbusses such as USB or IEEE 1394 (Firewire) or proprietary busses, or anycombination thereof. Alternatively, solid-state drive 484 can bedisposed within information handling system 400.

Network interface device 470 is connected to I/O interface 450. Networkinterface 470 and I/O interface 450 can be coupled via a unique channel,or via a bus that shares information among the I/O interface, thenetwork interface, and other elements of information handling system400. Other network interfaces (not illustrated) can also be used inaddition to network interface 470 as needed or desired. Networkinterface 470 can be a network interface card (NIC) disposed withininformation handling system 400, on a main circuit board such as abaseboard, a motherboard, or any combination thereof, integrated ontoanother component such as chipset 420, in another suitable location, orany combination thereof. Network interface 470 includes a networkchannel 472 that provide interfaces between information handling system400 and other devices (not illustrated) that are external to informationhandling system 400. Network interface 470 can also include additionalnetwork channels (not illustrated).

Information handling system 400 includes one or more applicationprograms 432, and Basic Input/Output System and Firmware (BIOS/FW) code434. BIOS/FW code 434 functions to initialize information handlingsystem 400 on power up, to launch an operating system, and to manageinput and output interactions between the operating system and the otherelements of information handling system 400. In a particular embodiment,application programs 432 and BIOS/FW code 434 reside in memory 430, andinclude machine-executable code that is executed by processor 410 toperform various functions of information handling system 400. In anotherembodiment (not illustrated), application programs and BIOS/FW codereside in another storage medium of information handling system 400. Forexample, application programs and BIOS/FW code can reside in HDD 464, ina ROM (not illustrated) associated with information handling system 400,in an option-ROM (not illustrated) associated with various devices ofinformation handling system 400, in storage system 490, in a storagesystem (not illustrated) associated with network channel 472, in anotherstorage medium of information handling system 400, or a combinationthereof. Application programs 432 and BIOS/FW code 434 can each beimplemented as single programs, or as separate programs carrying out thevarious features as described herein.

In the embodiments described herein, an information handling systemincludes any instrumentality or aggregate of instrumentalities operableto compute, classify, process, transmit, receive, retrieve, originate,switch, store, display, manifest, detect, record, reproduce, handle, oruse any form of information, intelligence, or data for business,scientific, control, entertainment, or other purposes. For example, aninformation handling system can be a personal computer, a consumerelectronic device, a network server or storage device, a switch router,wireless router, or other network communication device, a networkconnected device (cellular telephone, tablet device, etc.), or any othersuitable device, and can vary in size, shape, performance, price, andfunctionality. The information handling system can include memory(volatile (e.g. random-access memory, etc.), nonvolatile (read-onlymemory, flash memory etc.) or any combination thereof), one or moreprocessing resources, such as a central processing unit (CPU), agraphics processing unit (GPU), hardware or software control logic, orany combination thereof. Additional components of the informationhandling system can include one or more storage devices, one or morecommunications ports for communicating with external devices, as wellas, various input and output (I/O) devices, such as a keyboard, a mouse,a video/graphic display, or any combination thereof. The informationhandling system can also include one or more buses operable to transmitcommunications between the various hardware components. Portions of aninformation handling system may themselves be considered informationhandling systems.

When referred to as a “device,” a “module,” or the like, the embodimentsdescribed herein can be configured as hardware. For example, a portionof an information handling system device may be hardware such as, forexample, an integrated circuit (such as an Application SpecificIntegrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), astructured ASIC, or a device embedded on a larger chip), a card (such asa Peripheral Component Interface (PCI) card, a PCI-express card, aPersonal Computer Memory Card International Association (PCMCIA) card,or other such expansion card), or a system (such as a motherboard, asystem-on-a-chip (SoC), or a stand-alone device). The device or modulecan include software, including firmware embedded at a device, such as aPentium class or PowerPC™ brand processor, or other such device, orsoftware capable of operating a relevant environment of the informationhandling system. The device or module can also include a combination ofthe foregoing examples of hardware or software. Note that an informationhandling system can include an integrated circuit or a board-levelproduct having portions thereof that can also be any combination ofhardware and software.

Devices, modules, resources, or programs that are in communication withone another need not be in continuous communication with each other,unless expressly specified otherwise. In addition, devices, modules,resources, or programs that are in communication with one another cancommunicate directly or indirectly through one or more intermediaries.

Although only a few exemplary embodiments have been described in detailherein, those skilled in the art will readily appreciate that manymodifications are possible in the exemplary embodiments withoutmaterially departing from the novel teachings and advantages of theembodiments of the present disclosure. Accordingly, all suchmodifications are intended to be included within the scope of theembodiments of the present disclosure as defined in the followingclaims. In the claims, means-plus-function clauses are intended to coverthe structures described herein as performing the recited function andnot only structural equivalents, but also equivalent structures.

1. A network device comprising: a first port coupled to a first endpoint device; a second port coupled to a second end point device; and anaccess control list comprising a first access control entry, the firstaccess control entry being operable to cause the network device topermit log in frames to be forwarded from the first end point device tothe second end point device; wherein the network device is operable to:receive a first frame from the first end point device on the first port,the first frame being addressed to the second end point device;determine a frame type for the first frame; if the frame type of thefirst frame is not a log in frame, then drop the first frame, based uponthe first access control entry; and if the frame type of the first frameis a log in frame, then: forward the first frame to the second end pointdevice; and add a second access control entry to the access controllist, the second access control entry being operable to cause thenetwork device to permit data frames to be forwarded from the first endpoint device to the second end point device.
 2. The network device ofclaim 1, wherein the network device is further operable to add a thirdaccess control entry to the access control list if the frame type of thefirst frame is a log in frame, the third access control entry beingoperable to cause the network device to permit data frames to beforwarded from the second end point device to the first end pointdevice.
 3. The network device of claim 1, wherein the network device isfurther operable to: determine that the first end point device isuncoupled from the second end point device; and in response todetermining that the first end point device is uncoupled, remove thesecond access control entry from the access control list.
 4. The networkdevice of claim 3, wherein in determining that the first end pointdevice is uncoupled from the second end point device, the network deviceis further operable to: receive a second frame from the first end pointdevice on the first port, the first frame being addressed to the secondend point device; and determine that a frame type for the second frameis a log off frame.
 5. The network device of claim 3, wherein indetermining that the first end point device is uncoupled from the secondend point device, the network device is further operable to determinethat the first end point device is uncoupled from the first port.
 6. Thenetwork device of claim 1, wherein the network device is operable as anInternet Small Computer System Interface network device.
 7. An Internetstorage name system (iSNS) network device comprising: a first portcoupled to a first end point device; a second port coupled to an iSNSserver; and an access control list comprising a first access controlentry, the first access control entry being operable to cause thenetwork device to permit iSNS registration frames to be forwarded fromthe first end point device to the iSNS server; wherein the iSNS networkdevice is operable to: receive a first frame from the first end pointdevice on the first port, the first frame being addressed to the iSNSserver; determine a frame type for the first frame; if the frame type ofthe first frame is not an iSNS registration frame, then drop the firstframe, based upon the first access control entry; and if the frame typeof the first frame is an iSNS registration frame, then: forward thefirst frame to the iSNS server; and add a second access control entry tothe access control list, the second access control entry being operableto cause the iSNS network device to permit iSNS discovery frames to beforwarded from the iSNS server to the first end point device.
 8. TheiSNS network device of claim 7, wherein the iSNS network device isfurther operable to: receive a second frame from the iSNS server, thesecond frame being addressed to the first end point device; determine aframe type for the second frame; if the frame type of the second frameis not an iSNS discovery frame, drop the second frame, based upon thefirst access control entry; and if the frame type of the second frame isan iSNS discovery frame: forward the second frame to the first end pointdevice; and add a third access control entry to the access control list,the third access control entry being operable to cause the iSNS networkdevice to permit log in frames to be forwarded from the first end pointdevice to a second end point device coupled to the iSNS network device,wherein the identity of the second end point device is determined basedupon the second frame.
 9. The iSNS network device of claim 8, whereinthe network device is operable to: receive a third frame from the firstend point device on the first port, the third frame being addressed tothe second end point device; determine a frame type for the third frame;if the frame type of the third frame is not a log in frame, drop thethird frame, based upon the third access control entry; and if the frametype of the third frame is a log in frame: forward the third frame tothe second end point device; and add a fourth access control entry tothe access control list, the fourth access control entry being operableto cause the iSNS network device to permit data frames to be forwardedfrom the first end point device to the second end point device.
 10. TheiSNS network device of claim 9, wherein the iSNS network device isfurther operable to add a fifth access control entry to the accesscontrol list if the frame type of the third frame is a log in frame, thefifth access control entry being operable to cause the iSNS networkdevice to permit data frames to be forwarded from the second end pointdevice to the first end point device.
 11. The iSNS network device ofclaim 9, wherein the iSNS network device is further operable to:determine that the first end point device is uncoupled from the secondend point device; and in response to determining that the first endpoint device is uncoupled, remove the fourth access control entry fromthe access control list.
 12. The iSNS network device of claim 11,wherein in determining that the first end point device is uncoupled fromthe second end point device, the iSNS network device is further operableto: receive a fourth frame from the first end point device, the fourthframe being addressed to the second end point device; and determine thata frame type for the fourth frame is a log off frame.
 13. The iSNSnetwork device of claim 11, wherein in determining that the first endpoint device is uncoupled from the second end point device, the iSNSnetwork device is further operable to determine that the first end pointdevice is uncoupled from the first port.
 14. A method comprising:receiving a first frame from a first end point device on the first portof a network device, the first frame being addressed to an Internetstorage name system (iSNS) server; determining a frame type for thefirst frame; if the frame type of the first frame is not an iSNSregistration frame, then dropping the first frame, based upon the firstaccess control entry, based upon a first access control entry in anaccess control list of the network device; and if the frame type of thefirst frame is an iSNS registration frame, then: forwarding the firstframe to the iSNS server; and adding a second access control entry tothe access control list, the second access control entry being operableto cause the network device to permit iSNS discovery frames to beforwarded from the iSNS server to the first end point device.
 15. Themethod of claim 14, further comprising: receiving a second frame fromthe iSNS server, the second frame being addressed to the first end pointdevice; determining a frame type for the second frame; if the frame typeof the second frame is not an iSNS discovery frame, dropping the secondframe, based upon the first access control entry; and if the frame typeof the second frame is an iSNS discovery frame: forwarding the secondframe to the first end point device; and adding a third access controlentry to the access control list, the third access control entry beingoperable to cause the network device to permit log in frames to beforwarded from the first end point device to a second end point devicecoupled to the iSNS network device, wherein the identity of the secondend point device is determined based upon the second frame.
 16. Themethod of claim 15, further comprising: receiving a third frame from thefirst end point device on the first port, the third frame beingaddressed to the second end point device; determining a frame type forthe third frame; if the frame type of the third frame is not a log inframe, dropping the third frame, based upon the third access controlentry; and if the frame type of the third frame is a log in frame:forwarding the third frame to the second end point device; and adding afourth access control entry to the access control list, the fourthaccess control entry being operable to cause the network device topermit data frames to be forwarded from the first end point device tothe second end point device.
 17. The method of claim 16, furthercomprising adding a fifth access control entry to the access controllist if the frame type of the third frame is a log in frame, the fifthaccess control entry being operable to cause the network device topermit data frames to be forwarded from the second end point device tothe first end point device.
 18. The method of claim 16, furthercomprising: determining that the first end point device is uncoupledfrom the second end point device; and in response to determining thatthe first end point device is uncoupled, removing the fourth accesscontrol entry from the access control list.
 19. The method of claim 18,wherein in determining that the first end point device is uncoupled fromthe second end point device, the method further comprises: receiving afourth frame from the first end point device, the fourth frame beingaddressed to the second end point device; and determining that a frametype for the fourth frame is a log off frame.
 20. The method of claim18, wherein in determining that the first end point device is uncoupledfrom the second end point device, the method further comprisesdetermining that the first end point device is uncoupled from the firstport.